Refactor patch for properly fixing CVE-2016-5636

2016-07-11 11:15:54 +02:00 · 2016-07-11 11:15:54 +02:00 · 8231a6035b
parent e8d957d10d
commit 8231a6035b
3 changed files with 50 additions and 21 deletions
--- a/00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
+++ b/00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
@ -0,0 +1,39 @@
+From ae99040f6c1f329d6b6c984f39c920f09d383925 Mon Sep 17 00:00:00 2001
+From: Charalampos Stratakis <cstratak@redhat.com>
+Date: Mon, 11 Jul 2016 11:21:29 +0200
+Subject: [PATCH] CVE-2016-5636 fix
+
+---
+ Modules/zipimport.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/Modules/zipimport.c b/Modules/zipimport.c
+index 8fe9195..f72e89f 100644
+--- a/Modules/zipimport.c
+++ b/Modules/zipimport.c
+@@ -1071,6 +1071,10 @@ get_data(PyObject *archive, PyObject *toc_entry)
+                           &date, &crc)) {
+         return NULL;
+     }
+    if (data_size < 0) {
+        PyErr_Format(ZipImportError, "negative data size");
+        return NULL;
+    }
+ 
+     fp = _Py_fopen_obj(archive, "rb");
+     if (!fp) {
+@@ -1111,6 +1115,11 @@ get_data(PyObject *archive, PyObject *toc_entry)
+     }
+     file_offset += l;           /* Start of file data */
+ 
+    if (data_size > LONG_MAX - 1) {
+        fclose(fp);
+        PyErr_NoMemory();
+        return NULL;
+    }
+     bytes_size = compress == 0 ? data_size : data_size + 1;
+     if (bytes_size == 0)
+         bytes_size++;
+-- 
+2.7.4
+
--- a/00209-prevent-buffer-overflow-in-zipimport-module.patch
+++ b/00209-prevent-buffer-overflow-in-zipimport-module.patch
@ -1,16 +0,0 @@
-diff --git a/Modules/zipimport.c b/Modules/zipimport.c
-index 06abb31..914bf5d 100644
--- a/Modules/zipimport.c
-+++ b/Modules/zipimport.c
-@@ -1112,6 +1112,11 @@ get_data(PyObject *archive, PyObject *toc_entry)
-     }
-     file_offset += l;           /* Start of file data */
- 
-+    if (data_size > LONG_MAX - 1) {
-+        fclose(fp);
-+        PyErr_NoMemory();
-+        return NULL;
-+    }
-     bytes_size = compress == 0 ? data_size : data_size + 1;
-     if (bytes_size == 0)
-         bytes_size++;
--- a/python3.spec
+++ b/python3.spec
@ -140,7 +140,7 @@
 Summary: Version 3 of the Python programming language aka Python 3000
 Name: python3
 Version: %{pybasever}.3
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: Python
 Group: Development/Languages

@ -730,11 +730,14 @@ Patch203: 00203-disable-threading-test-koji.patch
 # openssl requires DH keys to be > 768bits
 Patch204: 00204-increase-dh-keys-size.patch

-# https://bugs.python.org/issue26171
+# 00209 #
+# CVE-2016-5636: http://seclists.org/oss-sec/2016/q2/560
+# rhbz#1345859: https://bugzilla.redhat.com/show_bug.cgi?id=1345859
 # https://hg.python.org/cpython/rev/10dad6da1b28/
+# https://hg.python.org/cpython/rev/5533a9e02b21
 # Fix possible integer overflow and heap corruption in zipimporter.get_data()
-# FIXED UPSTREAM
-Patch209: 00209-prevent-buffer-overflow-in-zipimport-module.patch
+# FIXED UPSTREAM: https://bugs.python.org/issue26171
+Patch209: 00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch

 # 00210 #
 # CVE-2016-0772 python: smtplib StartTLS stripping attack
@ -1947,7 +1950,10 @@ rm -fr %{buildroot}
 # ======================================================

 %changelog
-* Fri Jul 08 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.4.3-10
+* Mon Jul 11 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.4.3-11
+- Refactor patch for properly fixing CVE-2016-5636
+
+* Mon Jul 11 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.4.3-10
 - Fix test_pyexpat failure with Expat version of 2.2.0

 * Fri Jun 24 2016 Tomas Orsava <torsava@redhat.com> - 3.4.3-9